The Ring doorbell application for Android contains third-party trackers and sends out a large amount of personally identifiable information (PII), the Electronic Frontier Foundation (EFF) has discovered.
The Ring app, the EFF says, sends user data to four main analytics and marketing companies, namely branch.io, mixpanel.com, appsflyer.com and facebook.com. Siphoned data includes names, IP addresses, network carriers, persistent identifiers, and sensor data.
Facebook is alerted when the app is opened, as well as when it is deactivated after the screen is locked, via the Graph API. Furthermore, data is sent to the social platform even if the user does not have an account, the EFF has discovered.
Information sent to Facebook includes time zone, device model, language preferences, screen resolution, and a unique identifier (anon_id). This identifier would persists even when the OS-level advertiser ID is reset.
To ‘deep’ linking platform Branch, Ring sends several unique identifiers (device_fingerprint_id, hardware_id, identity_id), along with the device’s local IP address, model, screen resolution, and DPI.
Information that big data company AppsFlyer is provided upon app launch includes mobile carrier, Ring installation date, unique identifiers, whether AppsFlyer tracking came preinstalled on the device, installed sensors (magnetometer, gyroscope, and accelerometer) and current calibration settings.
Business analytics service MixPanel receives the most information: “users’ full names, email addresses, device information such as OS version and model, whether Bluetooth is enabled, and app settings such as the number of locations a user has Ring devices installed in,” the EFF explains.
While MixPanel is mentioned in Ring’s list of third party services, none of the other trackers is. The extent of the data collection is not revealed either.
Google-owned crash logging service Crashalytics also receives information from Ring, but the EFF has yet to determine the exact extent of data sharing.
The app uses encrypted HTTPS to send the data in such a manner that eludes analysis, the foundation says.
The amount of data shared with third-parties, EFF notes, is alarming, as it allows these companies to easily track users across applications.
“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,” EFF concludes.
Following security and privacy-related complaints, Amazon-owned Ring announced earlier this month that its iOS and Android applications will soon include a new Control Center from where users can manage privacy and security features and settings. The Control Center makes it easier for users to enable two-factor authentication, see who is logged into an account and log them out, review third-party service connections, and prevent local police departments from accessing footage from Ring cameras.